Stop skirting network security

Abe Kleinfeld, CEO of nCircle Network Security, says corporations need to be responsible for their own protection.

17 May 2004, 12:00 pm BST

Network security has become the thing that keeps executives up at night.

With each new security epidemic, such as the recent Sasser worm, the effectiveness of current security technologies and practices is called into serious question.

Even though security is one of the biggest concerns for almost every organization the world over, the number of attacks increases year over year, with each one more devastating than the last. In recent years, major investments have been made to stem the tide of the attacks, but only a handful of companies have been truly successful in securing their networks.

Attacks, which are entirely preventable, continue to cripple corporations. Millions of dollars and thousands of hours are spent recovering from the latest threat. As organizations bet their businesses on the integrity and security of their network, they can no longer continue to live in a world where one attack can be catastrophic.

For many reasons, network security is failing, and corporations need to undergo a fundamental shift in how they approach security, one where the focus is on more than just technology solutions. Network security needs to grow up fast.

First, corporations need to realize that network security issues aren't going to go away. Like crime, security attacks will never be eliminated, as long as people see a challenge in outwitting the system or can make a profit from it.

Corporations have to look at this issue in the long term and realize that they're always going to be in a battle against increasingly sophisticated criminals. The onus will be on the corporation to be diligent and vigilant, to make sure that they're always a step ahead.

When it comes to public policy, governments are responsible for putting deterrents and punishments in place. But again, just being illegal won't stop breaking and entering from happening. Just as you take measures to protect your house by locking the doors and installing an alarm, companies need to safeguard their critical assets from security breaches and attacks. Prosecuting intruders who enter your house or network may eliminate that specific threat, but there are always 10 more waiting in the wings.

While technology has a key role to play, there will not be a major breakthrough any time soon that will overcome these challenges.

Software and hardware vendors that provide the underlying infrastructure for corporate networks are under increased pressure to ensure that products are shipped securely and free of flaws that can be exploited.

During the past 12 to 18 months, there has been a shift in how large vendors approach security issues and issue patches. In responding to increased pressure from customers and the industry as a whole, vendors have been forced to take steps to reduce the number of vulnerabilities found in products.

But software applications are not getting any simpler. As customers continue to demand more and more features, software will interact with more applications and work over increasingly complex networks. This breeds even greater complexity, which introduces even more vulnerabilities that will need to be addressed.

The bottom line is that there are always going to be risks for corporations when deploying new solutions. Instead of blaming vendors, the best insurance for companies is to discover and address vulnerabilities within their network before they become a target for attacks.

Corporations need to realize that buying security technologies is only one step. While they may have made major investments in security products, the reality is that most of the existing solutions are largely reactive in nature and fail to address the bigger picture.

Take, for instance, a widely deployed security technology such as intrusion detection systems, which address the need to know when someone is breaking into your network. When using this method, you are waiting for a break-in to occur and reacting to each occurrence. If an organization is constantly in reaction mode when it comes to network security, the predictability and safety that the security technologies are meant to instill are seriously degraded.

Another current failing of most network security offerings is that the majority are stand-alone offerings. So while you may have all the right technology deployed, you only have piecemeal information--not real intelligence--as each product is only identifying one part of the problem.

This means that your information technology staff is left with the time-consuming task of analyzing all this information and then using guesswork to piece together an overall picture of the health of the network. Without intelligence, security is little more than guesswork.

The reality is that corporations need to be responsible for their own protection. There's a lot to lose, as the financial and business costs of recovering from an attack can be debilitating.

Over the long term, for corporations to be successful, they must take decisive action to quickly change existing thinking and processes to be more proactive. An intelligence-based approach that addresses all aspects of network security will empower corporations to make informed, strategic decisions before attacks occur.

In taking responsibility for security, there are a few best practices that every corporation should adopt when it comes to making investments in security technology. Most importantly, solutions must be assessed based on their ability to provide a truly proactive approach to network security and how they will fit within a corporate security culture that's centered on prevention.

A big part of changing how your organization thinks about security is ensuring that purchasing decisions are made on actual need and not hype. In such a noisy industry, analysts and vendors are constantly touting one security technology or another as the next must-have. It is quite easy to fall victim to this hype. To ensure that any purchases are in line with your overall strategy, you need to assess any new solutions with an in-depth understanding of your organization's network environment and look at key factors such as deployment and accuracy.

Keep in mind the critical role of intelligence in ensuring the overall security of your network. Intelligence integration is key. Adding another stand-alone security solution will only add to the headache of figuring out where vulnerabilities really are and how to fix them. The good news is that the network security industry is moving toward greater integration. Already, vulnerability management systems are being used to correlate data from other systems, extending the intelligence of intrusion detection and prevention systems, along with firewall offerings.

Moving beyond technology, corporations need to have a clear and concise security policy that is strictly enforced. While it is easy to commit a set of directives to paper, the true challenge is compliance. Wherever possible, you should be looking for ways to both prevent security breaches and identify violations before they can become a threat. Without actively ensuring compliance, your employees can unwittingly be a threat to the overall security of the network.

Finally, when it comes to security, activities should be planned so that proactive measures are taken to prevent attacks. By making the necessary financial and time investments ahead of the curve, corporations can plan and measure the success of their security program in a predictable and controlled way, instead of waiting to clean up after an attack.